Weak authentication in iBill's Password Management CGI

From: MK Ultra (mkultraat_private)
Date: Thu Oct 25 2001 - 12:21:37 PDT


    Vulnerable Program: ibillpm.pl Perl CGI script
    Distributed by: iBill Internet Billing Company, http://www.ibill.com
    
    Problem: iBill hard codes a weak password for the user management script,
    ibillpm.pl, installed for clients that use the Password Management system.
    The weak password is the client's MASTER_ACCOUNT (which can be viewed in
    the HTML of the site's signup pages) followed by only two lower-case
    letters (aa - zz). This allows a brute-force POST to easily
    add/delete/chgpwd users in the .htpasswd file. The CGI keeps no audit
    record of the changes it makes, nor does the web log file indicate what
    username was added to the system (POST data is not logged). In addition,
    the requests in the web log file all have HTTP response code 200, so
    nothing shows up as a problem in error_log.
    
    Impact: This allows an attacker to bypass the billing system and add an
    arbitrary username/password to a website's "member" section. Thousands of
    sites are estimated to use the default setup.
    
    Vulnerable Applications: Websites that use iBill's Password Management CGI
    script, ibillpm.pl, using default setup process performed by iBill.
    Vulnerable OS: Unix based.
    
    Non-vulnerable Applications: Websites that do not use iBill's Password
    Management system, or that use settings more secure than the default.
    Non-vulnerable OS: WindowsNT/2000 or other systems not capable of running
    ibillpm.pl Perl CGI.
    
    How this was found: During installation and security audit for a client's
    website.
    
    Workarounds:
    1) Move the script to a less obvious place than the default so it's harder
    to find (don't forget to change the path at the iBill admin website).
    2) Request that iBill set a more secure password for the ibillpm.pl
    script.
    3) Change your webserver config (httpd.conf for Apache) to only allow
    addresses from .ibill.com to access the path to ibillpm.pl. See your
    webserver documentation for details on how to do this.
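    Because the script writes no audit record and every request returns 200,
    the only trace of a brute-force run is a burst of POSTs to ibillpm.pl from
    one client in the access log. The following detector is an added example
    (not from the advisory or from iBill): it parses Apache common-log lines,
    constructed here as sample input, and flags any client IP whose POSTs to
    the script reach a threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache common log format), not taken
# from the advisory. 198.51.100.7 sends a burst of POSTs that all return 200.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2001:12:01:03 -0700] "GET /members/index.html HTTP/1.0" 200 1043
203.0.113.9 - - [25/Oct/2001:12:01:30 -0700] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512
198.51.100.7 - - [25/Oct/2001:12:02:10 -0700] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512
198.51.100.7 - - [25/Oct/2001:12:02:11 -0700] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512
198.51.100.7 - - [25/Oct/2001:12:02:11 -0700] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512
198.51.100.7 - - [25/Oct/2001:12:02:12 -0700] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512
198.51.100.7 - - [25/Oct/2001:13:30:00 -0700] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512
"""

# client ip, [timestamp], "METHOD path ...", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bursts(log_text, script="ibillpm.pl", window=timedelta(minutes=5), threshold=10):
    """Map client ip -> peak number of POSTs to `script` seen inside any
    `window`, for clients whose peak reaches `threshold`. Only POSTs count:
    the script acts on POST data the log never records, so volume is the signal."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/" + script):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

    Requests from iBill's own hosts (the addresses workaround 3 allows) can be
    excluded before counting so legitimate management traffic is not flagged.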
    
    
    See attached exploit source code.